ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Yahoo breaks every mailing list in the world including the IETF's

2014-05-19 14:29:13
from [Fred Baker (fred)] [Permanent Link] 
Several people have replied to the tone of your email. Let me reply with a bit 
of somewhat-technical commentary.

In their defense, Microsoft has taken a pretty strong approach to software 
quality over the past decade plus. Frankly, poor software quality has hurt 
them. It is in their interest to fix it for several reasons, not just this one. 
That is perhaps one of the best arguments for their current campaign to move 
their users from Windows XP-and-older to their latest operating systems - it 
reduces their support costs and improves the quality of their brand.

You may be interested in the outcome of a research project run by Stefan Savage 
of UCSD. In 2007, he broke into the Storm Botnet, and learned a bit about it, 
which he published in a paper in 2009. In 2010, he put a small quantum of money 
on a disposable credit card and started responding to spam (“yes, please sell 
me your little blue pills”), and published a paper about that in 2011. That 
enabled him to follow the money flow - fourth level attribution, if you will. 
His work came to the attention of US DOJ, which is now recommending it as an 
approach to investigating spam-related crime, and to the Microsoft Digital 
Crimes Unit, which has been using legal proceedings against the folks who pay 
botmasters for their craft, with deadly effectiveness.

I think it’s fair to say, from Microsoft’s actions, that they agree that 
getting their old software off the net would be a good thing. They want their 
customers to upgrade to their new-and-presumably-improved software, and are 
proactively dealing with the business side of spam.

On May 18, 2014, at 10:30 PM, Eric Dynamic <ecsd(_at_)transbay(_dot_)net> wrote:


Meanwhile I notice that hundreds of IT professionals spin their wheels over
standards and practices for dealing with spam, which is otherwise preventable,
namely, let's cut the crap and go to first casuses: why there is spam/crime to
the extent that there is: bad software running user PCs worldwide.

Get rid of Microsoft software connected to the Internet and the worldwide
"bot-net" problem will go away in a few months, as the criminal bots are
tracked down and eliminated but NOT replaced.

Do not even begin to bother the issue of whether Unix/Linux can or cannot be
invaded/compromised. Yes, it can, but to at most four orders of magnitude a
lesser extent. Microsoft's mean time to the next exploit is 15 days (two 
weeks.)
Unix's mean time to the next exploit is 2700 days (7.5 years.)
Microsoft users are just recovering from any given virus when the next one 
hits.

There is just no excuse to keep using such awful software and then have to
pretend that all the extra attendant nonsense ("anti-spamscience") is 
meaningful
and necessary. I suggest we worldwide quit wasting man-hours and intelligence
doing scutwork on an arms-race basis to keep Bill Gates's company looking
at best adequate. The spam is their fault and they can't fix the reasons why.

So put their code in the garbage where it belongs and retire Microsoft into
the Dustbin of History where it belonged 20 years ago.

This will free an enormous amount of now-wasted manpower to start doing more
useful things. This would also greatly benefit the economy and the development
of new PC technology, by the way, without regard to spam/crime.

===

S Moonesamy wrote:


Hi Phillip, 
At 10:04 17-05-2014, Phillip Hallam-Baker wrote: 

Yet more special pleading. 


[snip] 


A legitimate argument against DMARC would be 'Here is a research study 
based on empirical evidence that shows DMARC does not help'', it might 
not be persuasive but it would be a valid argument to have. I am 


Yes. 


I find the arguments that IETF should ignore the impact of DMARC 
unpersuasive. We have changed email repeatedly in response to non 
standards compliant actions taken by the spam senders. So there is a 
precedent for responding to malicious actions, why would we treat 
non-malicious actions differently? 


The significant change I can think of is the MSA/MTA split.  That was in 
1998.  There is a specification violation in response to a DMARC policy as 
implementers do have to decide whether to provide a fix or ignore the issue. 
 There are also operational issues, e.g. 
http://www.it.cornell.edu/services/guides/email/issues.cfm  Should the IETF 
ignore the impact of all this?  Frankly, I don't know.  It is a significant 
amount of work to assess how much of a problem this is. 

Regards, 
S. Moonesamy

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Yahoo breaks every mailing list in the world including the IETF's, Phillip Hallam-Baker
Next by Date:  Re: Yahoo breaks every mailing list in the world including the IETF's, Phillip Hallam-Baker
Previous by Thread:  Re: Yahoo breaks every mailing list in the world including the IETF's, Eric Dynamic
Next by Thread:  Re: Yahoo breaks every mailing list in the world including the IETF's, Phillip Hallam-Baker
Indexes:  [Date] [Thread] [Top] [All Lists]